[Pdns-users] pdns-recursor - Recursor options to ignore when authoritative server does not set the AA bit in DNS reply

Caleb Bontrager cbontrager at gmail.com
Wed Apr 15 14:37:28 UTC 2020


Running pdns-recursor 4.2.1, I'm encountering an issue where the
pdns-recursor returns a SERVFAIL to the client on domains that are
resolvable by pretty much any public DNS resolver - Level3, Google,
OpenDNS, Comcast, etc.

I understand from tracing the query (rec_control trace-regex) and from
reading that the default behavior of pdns-recursor is that if it receives a
response that does not have the AA bit set, the answer is discarded and the
next authoritative server for the domain is tried. This seems like a very
reasonable default behavior and obvious from the recursor trace logs.

In reading https://github.com/PowerDNS/pdns/issues/8513, it appears the
current ability in handling this is to configure forward-zones or
forward-zones-recurse to treat the zone as a recursing zone and not require
the AA bit set in replies. Obviously, this is less than desirable when the
upstream DNS server is external and the authoritative server addresses may
change at any time without warning or coordination.

The question I have is if there is a configuration ability to remove the AA
bit requirement for resolution? Or is the forward-zone configuration the
only option available to handle this scenario? Of course other than the
offending operator correcting their configuration.

Recursor trace output below...

Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept
answer 'mtdnstri.mt.gov|A|161.7.129.10' from 'gov' nameservers? ttl=86400,
place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept
answer 'mtdnspri.mt.gov|A|161.7.38.10' from 'gov' nameservers? ttl=86400,
place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept
answer 'mtdnssec.mt.gov|A|161.7.38.11' from 'gov' nameservers? ttl=86400,
place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT
answer '.' from 'gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone
status Indeterminate for record mtdnssec.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone
status Indeterminate for record mtdnspri.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone
status Indeterminate for record mtdnstri.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone
status Indeterminate for record mt.gov|NS
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS
record 'mt.gov' -> 'mtdnstri.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS
record 'mt.gov' -> 'mtdnspri.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS
record 'mt.gov' -> 'mtdnssec.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
status=did not resolve, got 3 NS, looping to them
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov.:
Nameservers: mtdnstri.mt.gov(16.59ms), mtdnspri.mt.gov(24.33ms),
mtdnssec.mt.gov(24.83ms)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
to resolve NS 'mtdnstri.mt.gov' (1/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
Looking for CNAME cache hit of 'mtdnstri.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
No CNAME or DNAME cache hit of 'mtdnstri.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
Found cache hit for A: 161.7.129.10[ttl=86400]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnstri.mt.gov:
updating validation state with cache content for mtdnstri.mt.gov to
Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
Resolved 'mt.gov' NS mtdnstri.mt.gov to: 161.7.129.10
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
IP 161.7.129.10:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2
answers from mtdnstri.mt.gov (161.7.129.10), rcode=0 (No Error), aa=0, in
54ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record '
leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set
received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT
answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
to resolve NS 'mtdnspri.mt.gov' (2/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
Looking for CNAME cache hit of 'mtdnspri.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
No CNAME or DNAME cache hit of 'mtdnspri.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
Found cache hit for A: 161.7.38.10[ttl=86400]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnspri.mt.gov:
updating validation state with cache content for mtdnspri.mt.gov to
Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
Resolved 'mt.gov' NS mtdnspri.mt.gov to: 161.7.38.10
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
IP 161.7.38.10:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2
answers from mtdnspri.mt.gov (161.7.38.10), rcode=0 (No Error), aa=0, in
81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record '
leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set
received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT
answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
to resolve NS 'mtdnssec.mt.gov' (3/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
Looking for CNAME cache hit of 'mtdnssec.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
No CNAME or DNAME cache hit of 'mtdnssec.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
Found cache hit for A: 161.7.38.11[ttl=86399]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547]    mtdnssec.mt.gov:
updating validation state with cache content for mtdnssec.mt.gov to
Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
Resolved 'mt.gov' NS mtdnssec.mt.gov to: 161.7.38.11
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying
IP 161.7.38.11:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2
answers from mtdnssec.mt.gov (161.7.38.11), rcode=0 (No Error), aa=0, in
81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record '
leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set
received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT
answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov:
determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Failed
to resolve via any of the 3 offered NS at level 'mt.gov'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: failed
(res=-1)


I appreciate any guidance.

Best,

--Caleb

Caleb Bontrager
Milford, DE
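
Added example, not part of the original post: a small Python script that scans recursor trace lines and reports lookups that failed only because every answering nameserver replied with aa=0, which is the pattern in the trace above. It assumes one log entry per line (as syslog writes them, not mail-wrapped); the sample lines, names and addresses are constructed in the same format.

```python
import re
from collections import defaultdict

# Patterns follow the "Got N answers ... aa=" and "Failed to resolve" trace lines.
GOT = re.compile(r"\[(\d+)\] ([^\s:]+): Got (\d+) answers from (\S+) \(([^)]+)\), "
                 r"rcode=(\d+) \([^)]*\), aa=([01])")
FAILED = re.compile(r"\[(\d+)\] ([^\s:]+): Failed to resolve via any of the "
                    r"(\d+) offered NS at level '([^']+)'")

P = "Apr 15 10:18:49 host pdns_recursor[1]: "
# Constructed sample input (documentation names and addresses).
SAMPLE = [
    P + "[5] www.example.test: Got 2 answers from ns1.example.test (192.0.2.1), rcode=0 (No Error), aa=0, in 54ms",
    P + "[5] www.example.test: Got 2 answers from ns2.example.test (192.0.2.2), rcode=0 (No Error), aa=0, in 81ms",
    P + "[5] www.example.test: Failed to resolve via any of the 2 offered NS at level 'example.test'",
    P + "[6] www.example.org: Got 0 answers from ns1.example.org (198.51.100.1), rcode=2 (Server Failure), aa=0, in 12ms",
    P + "[6] www.example.org: Failed to resolve via any of the 1 offered NS at level 'example.org'",
    P + "[7] www.example.net: Got 1 answers from ns1.example.net (203.0.113.1), rcode=0 (No Error), aa=1, in 9ms",
]

def missing_aa_failures(lines):
    """Failed lookups where every NOERROR reply that carried answers had aa=0."""
    replies = defaultdict(list)  # (trace id, qname) -> [(ip, rcode, answers, aa)]
    failed = {}                  # (trace id, qname) -> zone level that failed
    for line in lines:
        m = GOT.search(line)
        if m:
            tid, qname, count, _ns, ip, rcode, aa = m.groups()
            replies[(tid, qname)].append((ip, int(rcode), int(count), aa == "1"))
            continue
        m = FAILED.search(line)
        if m:
            tid, qname, _offered, level = m.groups()
            failed[(tid, qname)] = level
    report = []
    for key, level in failed.items():
        # Only replies that had data to offer count; errors and timeouts are
        # a different failure and are left out of this report.
        useful = [r for r in replies[key] if r[1] == 0 and r[2] > 0]
        if useful and not any(r[3] for r in useful):
            report.append({"qname": key[1], "zone": level,
                           "servers": sorted(r[0] for r in useful)})
    return report

if __name__ == "__main__":
    for item in missing_aa_failures(SAMPLE):
        print(item["qname"], "failed at", item["zone"],
              "- aa=0 from", ", ".join(item["servers"]))
```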